Administrators or managers may wish to change their password or update their notification settings. They do this from the User Settings dialog. This dialog is accessed by clicking on their user name in the upper left part of the page. The options available to change are:
Properties
The general properties required to set up a NetSpective administrator or manager. User Setting Properties
User Name A name to identify the user. This name is also their login name to the NetSpective Administration site. It can only be changed by an administrator from the Managers section.
Password The login password for the NetSpective Administration site.
Confirm Confirm the password given above.
Options
This refers to additional user specific options. These options will affect the usability of the NetSpective Administration website.
Lines Per Page
The ‘lines per page’ option shown on the listing page defaults to 20 rows. Additional lines are displayed on subsequent pages. The new lines per page value will be saved in a cookie and will affect all pages with paging. If you clear your browser cookies the lines per page value will revert to the default value of 20.
Notification Settings
In order to receive email notifications, an Email is required. Available notification types include product updates and abuse detection.
Notification Settings
Email An email address associated with the administrator or manager.
Product Updates If checked the administrator or manager will receive notification about product updates.
Abuse Detection If checked the administrator or manager will receive notification about abuse detection.
Block Page Overrides If checked the administrator or manager will receive notification about block page overrides.
Management
In this section you will find all the tools for managing Users, Groups, Managers, and their filtering policies. Any managers classified as a ‘Group Manager’ will specifically have access to only this section.
Management 27 Managers
In addition to the built-in admin manager, you may create other managers to delegate authority of your NetSpective. You may create manager accounts manually or you may use an LDAP source (such as Active Directory) to authenticate users and passwords. Managers may have different levels of authority, which are summarized by the table below.
Security Level Permissions
System Administrator Create/edit/delete other managers (except admin). Create/edit/delete Groups and Users.
Edit all of NetSpective's configuration options.
Authorize a temporary override of the block page for any group. Policy Administrator Create/edit/delete other managers (except admin).
Create/edit/delete Groups and Users.
Authorize a temporary override of the block page for any group. Edit all of NetSpective's filtering options.
Group Manager Edit the group policy for assigned groups and categories allowed by
security options.
Edit the group options for assigned groups.
Edit site overrides for assigned groups, if allowed by security options. Move users between managed groups, but cannot add or remove users or groups.
Authorize a temporary override of the block page for assigned groups. Mobile Device
Manager
Edit mobile pairings for assigned groups. Block Page Override
Manager
Authorize a temporary override of the block page for assigned groups.
Group Managers have additional configurable security options. The options include the ability to change the available permissions for managing Users and Groups. Group Managers also have security options to block access to the Overrides section, specific categories on the Group Policy page, and can be limited to managing only specific IP ranges. These options are only available for Group managers configured to authenticate manually (Local) or authenticate individual users using an LDAP source (LDAP Users).
Management 28 Creating or Updating Managers
There are two basic ways you can create managers that are recognized by NetSpective. You may create a manager via the 'Local' tab and set a password manually, or you may create a manager via the 'LDAP Groups' or 'LDAP Users' tabs and have LDAP handle password authentication. To create a manager click the 'Add' button from the control bar near the top of the page. To update a manager, click on the manager's name.
Management 29
Figure 2: LDAP Group
Management 30 Manager Properties
The general properties required to set up a NetSpective manager.
User Name - A name to identify the manager. This name will also be their login name for the NetSpective Administration interface and/or the block page override form.
Password - The manager's password. (Not applicable for LDAP Users) Confirm - Confirm the password given above.
Notification Settings
In order to receive email notifications, an email address is required. Available notification types include product updates and abuse detection. Note: The email address for LDAP managers is queried
automatically from the LDAP server.
Notification Settings
Email An email address associated with the manager. You may enter multiple
email addresses separated by commas (',').
Product Updates If checked the manager will receive notification about product updates. Abuse Detection If checked the manager will receive notification about abuse detection. Block Page Overrides If checked the manager will receive notification about block page
overrides.
Security Tab
You may choose which security level a manager or group of managers has. Click the 'Security Level' drop down to pick Administrator, Group Manager, or Block Page Override Manager. For Group and Block Page Override managers, select which groups they are assigned to by selecting the check boxes next to the group names in the group listing.
Management 31
The security level of an individual LDAP manager will override the security level of any LDAP groups he or she is a member of, and all managed groups must be explicitly set. For example, even if the LDAP group "Sales" is set to the security level of Group Manager, you may set LDAP user "Michael", who is a member of the "Sales" LDAP group, to be a higher or lower security level, such as Administrator or Block Page Override Manager.
LDAP managers who have not been assigned a specific individual security level will have a security level set to the highest of any LDAP groups they are a member of. For example, user "Tim" who is a member of both the "Sales" and "NetSpective Admins" LDAP groups will be an Administrator if the "NetSpective Admins" LDAP group is set to be Administrator level. As a different example, if user "Sally" is a member of both the "Sales" LDAP group and the "Corporate" LDAP group, and both "Sales" and "Corporate" are set to Group Manager level, "Sally" will be a Group Manager of all groups assigned to either "Sales" or "Corporate" to manage.
Management 32 Users Tab (Group Manager Only)
The Users tab provides the ability to grant or take away additional privileges for Group Managers. Managers can be granted access to create users, edit users, delete users, or import/export users. You will also have the ability to manage access to specific IP address ranges, also referred to as IP Partitions.
Management 33 IP Partitions
IP Partitions are used to limit access to specific IP Ranges. The partitions are assigned to Group
Managers. The managers will only be able to add and/or modify Users within the configured IP Ranges. This is a licensable feature in our service provider level license. Please contact our support team if interested in using IP Partitions.
Creating or Updating IP Partitions
To create a partition click the Add button at the top left of the dialog. To update a partition click the partition's link from the Partition list. Once the partition's data has been loaded in the right side of the dialog, update the necessary information:
Partition Name
The partition name is a required field and must be unique. The name is used to identify the IP ranges that are assigned to the partition.
IP Ranges
IP Ranges are unique to the partition. The range cannot include or overlap another range. A VLAN ID can also be assigned as part of an IP range. To add a range, input the start IP and end IP in the area at the top of the listing of IP Ranges. Once done, click the Add button. To edit an existing IP Range, select the range from the list. The range will be loaded into the area at the top of the listing. Once you have
finished editing the IP Range make sure you click the Save button. Check or select the IP Ranges and click the Delete button in the area at the top of the listing to delete the ranges.
Management 34 Deleting IP Partitions
To delete an IP Partition, select the check box next to each partition's name. Once the partitions are selected, click the Delete button to delete the partitions.
Groups Tab (Group Manager Only)
The Groups tab provides the ability to grant or take away additional privileges for Group Managers. Managers can be granted access to create groups, edit groups, delete groups, or import/export groups. You will also find an additional section for additional create and edit options. Here managers can be granted access to modify LDAP settings, modify block overrides, and modify abuse settings.
Management 35 Advanced Tab (Group Manager Only)
You may choose to disable access of certain options for managers. Managers can be blocked from accessing the Overrides section, preventing them from adding or modifying overrides. They can also be blocked from accessing the Mobile Pairing section. In Group Policy, managers can be blocked from seeing and accessing specific categories. This prevents them from being able to change a categories block or abuse settings.
Deleting Managers
To delete managers, select the check box next to each manager's name. To delete all managers
displayed on the current page, select the check box in the upper left-hand portion of the table. Once the managers are selected, click the Delete button to delete the managers. If all managers on a page are selected, the option to select the managers on every page will become available.
Assigning Groups to Managers
You may assign a manager to multiple groups by using the security tab, as described above in the "Security" section, or you may assign multiple managers to a group from the Groups page. Viewing All Assigned Managers
You may view all managers and their security levels, including those only included by an LDAP group, by going to the All Assigned Managers report, under the 'Statistics' screen.
Management 36 Groups
The Groups page provides a listing of all user defined and built-in groups which hold users. The built-in groups are the Public and Exempt groups. By creating and using additional groups, you have flexibility in creating filtering policies and more detailed information in reports.
Users are assigned to a group either manually or by LDAP and each group has its own filtering policy. Each group's filtering policy can be customized to ignore, monitor, or block specific content categories at specific times of day. All unknown or unassigned users are assumed to be members of the Public Group and use its filtering policy. Therefore, it is recommended that the Public Group should have the most restrictive filtering policy. The Exempt Group's policy, which cannot be changed, always ignores all traffic.
Creating or Updating Groups
To create a group, click the Add button from the control bar near the top of the page. To update a group click the group's link. Once the dialog has opened, update the necessary information:
Management 37 Properties Tab
This tab contains the general properties of a NetSpective group. A unique group name is the only required field.
Management 38 LDAP
A NetSpective group can be configured to mirror the user list of a specific Group or Organizational Unit in a LDAP Directory. NetSpective will automatically synchronize itself periodically with the LDAP server to make sure its list of users is kept up to date.
Select a LDAP Source from the "Source" drop down. If you have not created a LDAP source, see LDAP Sources for details on creating one. After selecting a source, select a Group or OU from the "Object" drop down.
LDAP Priority
When NetSpective synchronizes with your LDAP Server it evaluates all NetSpective Groups by priority level then alphabetical order. A user that exists in more than one LDAP Group or OU will be assigned to the first NetSpective Group evaluated with one of the user's LDAP Groups or OUs. LDAP priority level will order groups with the lowest number first.
Alternate Days Policy
A Group may have an additional policy, referred to as an Alternate Day Policy, which applies only to certain days of the week. A Group's default policy will continue to apply to all other days of the week. YouTube | Schools
NetSpective can limit YouTube access to only educational videos on YouTube EDU by assigning a YouTube For Schools code to a NetSpective group. Members of the group will only be able to view videos YouTube has flagged as educational or videos found in the assigned account’s playlist. If you take advantage of this feature, ensure that the Flash protocol is not blocked in the Group Policy section for the group you are using this feature with.
YouTube enforcing Safe Search
Clicking the checkbox will enforce Safe Search for YouTube. This feature will also block SSL YouTube logins.
Redact Log Attributes
Traffic associated with a group may be logged, but certain attributes may be redacted including the source IP address, username and group name. This will only redact attributes on log data created after the settings are saved. The redacted data cannot be recovered.
Management 39 Block Override Tab
The block page override feature enables blocked web sites to be temporarily allowed for a certain period of time by entering a password or by providing credentials of an authorized manager. The override can affect the entire NetSpective group or just the user from which the override originated.
Block Overrides
Mode Either disabled, Group Override, or Individual Override.
Duration The number of minutes to override the block.
Authentication Enter a password that will be used to authorize override requests ‘Manager Credentials’ requires a manager’s login and password for
authentication. See the ‘Managers’ section for details on creating managers who can use this feature.
Notification After a specified number of block page overrides have been completed an email notification will be sent to administrators and managers when the option is enabled. In order to receive the email, the administrator and
managers must enable notification of Block Page Overrides in User Settings or Manager Properties.
Request Category Change
Enables users within the group to request a category change right from the block page.
Management 40 Abuse Settings
Different groupings of Abuse Settings, called Levels, can be configured and assigned to Categories. The assignment is done on the Group Policy page. Each Level has its own options for Notifications and Abuse Detection.
If Policy Reminder is enabled, users will be prompted with a page containing information on your company's Internet usage policy with the choice to accept or decline that policy. The page will only be displayed for categories marked as abusive and will prompt the policy after a specified number of hours. The page displayed can be configured in Filter Settings. For more information check the Policy Reminder documentation.
If Notification is enabled, the administrators and managers assigned to the group will receive an email notice once the notification limits have been met. If the administrator or manager does not wish to receive an email, they can turn off Abuse Settings emails in their User Settings.
If Abuse Detection is enabled, the users assigned to the group will be monitored for activity to categories marked as abusive. Once a user's abuse limit has been reached, either all other Categories marked with this abuse level, all of the user's Internet Activity, or just the user's Web Activity will be shut down (locked) for a certain period of time. To unlock a user that is currently locked, go to the Currently Locked Users page under the Statistics section.
Management 41 Managers
This tab shows the Group and Block Page Override managers who are assigned to the selected group. You may change manager assignments by checking or unchecking the check box next to each manager or manager group name. If a group of managers is checked, its members are also shown with gray check marks next to their names indicating that they are all assigned to the group.
Assigning Users to Groups
Users are assigned to groups in the Users section. See the help on Users for more information on assigning users to groups.
Deleting Groups
To delete groups select the check box next to each group's name. To delete all groups displayed on the current page, select the check box in the upper left-hand portion of the table. Once the groups are selected, click the Delete button to delete the groups. If all groups on a page are selected, the option to select the groups on every page will become available.
Importing Groups
Groups can be imported from a simple text file. The first row can be an optional header row. The following is an example of the file format:
"Groups" "Group #1" "Group #2" "Group #3"
To import, select the 'Import' button from the control bar. Once the dialog is open, click the 'Browse...' button and select the file you wish to import. Click 'OK' and the import will begin.
Management 42 Exporting Groups
To export, select the 'Export' button from the control bar. When your browser's download dialog appears, select where you would like to save the export file.
The groups exported will reflect what is currently being displayed. The search field will also affect the results of the export.
Group Policy
Every group has its own policy that can Block, Monitor, or Ignore internet activity based upon category and time of day. The policy is displayed as a grid with categories as the vertical axis and time of day as the horizontal axis. Each box in the grid is a color which represents the action to take.
The "Allow Unauthenticated Flag" only appears in the Public Policy. This flag can be placed on categories to designate that not authentication is necessary to access these sites. In the example above,
background services and servers are not only allowed access, but will not prompt for authentication when